OpenStack / Cloud / Virtualization / Linux

RHEL6 – Managing SELinux Booleans

This is my second post on SELinux. In case you missed the first one, you can read it here. Today we are going to specifically discuss SELinux booleans.

According to fedoraproject.org, "SELinux booleans enable runtime customization of the SELinux policy. SELinux policy in Fedora has several booleans that allow you to quickly toggle a particular change in the policy." However, I think it's easier to explain them as SELinux configuration settings that can be toggled on or off without writing or loading any policy of your own.

The command getsebool -a displays every boolean together with its current state (getsebool with a single name shows just that one), while setsebool is used to change a boolean. A plain setsebool only changes the running policy and is lost at reboot; using setsebool with the -P option writes the change into the policy store on disk so it persists across reboots. Note that -P rebuilds the binary policy, so it takes noticeably longer than a runtime-only change, and that it needs root.

To display a detailed list of booleans with their current and default states and a one-line description of each, run semanage boolean -l. This is the quickest way to find out which boolean governs the access you are trying to allow before you reach for audit2allow or switch to permissive mode.
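To show the commands from the two paragraphs above doing useful work, here is an added example (not part of the original post) that audits a host's booleans against a desired baseline and prints the setsebool -P commands needed to reconcile them. It is written so it runs offline: the getsebool -a output and the baseline are constructed sample data embedded in the script, and the boolean httpd_can_network_connect is an assumption added for the sake of the example. Swap the sample for $(getsebool -a) on a real RHEL6 host to audit it for real.

```shell
#!/bin/sh
# Audit SELinux booleans against a desired baseline (dry run).
# Added example; not code from the original post.

# Constructed sample of `getsebool -a` output (not captured from a real host).
# Real getsebool output uses the same "name --> state" layout.
SAMPLE_GETSEBOOL='ftp_home_dir --> off
httpd_enable_cgi --> on
sftpd_anon_write --> off
allow_ftpd_anon_write --> off
httpd_can_network_connect --> on'

# Desired baseline, one name=state per line (constructed for the example).
BASELINE='ftp_home_dir=off
httpd_enable_cgi=off
httpd_can_network_connect=off
allow_ftpd_anon_write=off'

# boolean_state GETSEBOOL_OUTPUT NAME
# Prints the current state of NAME, or "unknown" if the policy has no such boolean.
boolean_state() {
    printf '%s\n' "$1" | awk -v n="$2" '
        $1 == n { print $3; found = 1 }
        END { if (!found) print "unknown" }'
}

# drift GETSEBOOL_OUTPUT BASELINE
# Prints "name current desired" for every baseline entry that does not match.
drift() {
    printf '%s\n' "$2" | while IFS='=' read -r name want; do
        [ -n "$name" ] || continue
        have=$(boolean_state "$1" "$name")
        [ "$have" = "$want" ] || printf '%s %s %s\n' "$name" "$have" "$want"
    done
}

# remediation GETSEBOOL_OUTPUT BASELINE
# Prints the persistent setsebool commands that would fix the drift.
# Booleans the policy does not know about are reported, not "set", because
# setsebool would fail on them anyway.
remediation() {
    drift "$1" "$2" | while read -r name have want; do
        if [ "$have" = "unknown" ]; then
            printf '# %s not present in policy, skipping\n' "$name"
        else
            printf 'setsebool -P %s %s\n' "$name" "$want"
        fi
    done
}

# Stand-alone run: show what would be changed for the sample host.
remediation "$SAMPLE_GETSEBOOL" "$BASELINE"
```

Run as root on a real host with `remediation "$(getsebool -a)" "$BASELINE" | sh` once you are happy with the dry-run output. Keeping the baseline in version control and running this from cron or a config-management hook is a cheap way to catch someone quietly flipping, say, httpd_enable_cgi or allow_ftpd_anon_write back on.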

Some common SELinux booleans are below, each with its RHEL6 default state and the description semanage boolean -l prints for it.

ftp_home_dir -> off    Allow ftp to read and write files in the user home directories

httpd_enable_cgi -> on    Allow httpd cgi support

sftpd_anon_write -> off    Allow anon internal-sftp to upload files, used for public file transfer services. Directories must be labeled public_content_rw_t.

allow_ftpd_anon_write -> off    Allow ftp servers to upload files, used for public file transfer services. Directories must be labeled public_content_rw_t.